Firewall Wizards mailing list archives

Re: traceroute


From: Bill_Royds () pch gc ca
Date: Mon, 25 Jun 2001 11:14:52 -0400

Traceroute doesn't just use one port but many, so a simple port allowed rule
won't work.
There are 2 major flavours to traceroute.
  The Unix one uses a series of UDP packets with increasing port numbers to
trace. You would need to allow these ports out, although you should only get
Time Exceeded/Port Not Available ICMP messages in reply.
  The Windows one uses ICMP echo packets with unique ID's for tracing. This is
more of a problem because you are letting ICMP echo out and both ICMP echo
reply and Time Exceeded back in.
  The ICMP echo reply packet is what is used by Trinoo/Stacheldracht to control
its DDoS zombies, so it could cause problems for you.
There are firewalls (Symantec Raptor for one) that have ping / traceroute
proxies. This is more secure. They detect and attempt to send ICMP echo on one
interface, send the echo from the other and report the result back to the internal
sender. This can also be controlled as to allowed source IP's and destination
IP's, so you can allow a limited set of machines to traceroute.




"Wigg, Guy G" <GWigg () mail sbic co za> on 06/24/2001 08:33:13

 To:      "'Firewall-Wizards (E-mail)'" <firewall-wizards () nfr com>, "'CISSP Forum'" <cisspforum () yahoogroups com>
 cc:
 Subject: [fw-wiz] traceroute




Hi All

Just looking for a bit of advice please, our Internet Team wish to be able
to do traceroutes from our webservers onto the internet as they believe that
this will assist in resolving network problems that occur from time to time.
Currently we don't allow any ICMP from the Internet into our network/DMZ.
What would the risk be of allowing ICMP time exceeded packets into our
network? ( I presume this is all we need, to allow trace routes from our
webservers out onto the net?). I realise opening another port on the
firewall increases the risk, but is this a manageable risk?

thanks
Guy
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
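As an added illustration that is not part of the thread above: a toy stateful ICMP filter in Python showing the matching a firewall (or a Raptor-style traceroute proxy) has to do so that only replies to probes it actually saw leave the DMZ. It covers both flavours described in the reply (UDP probes answered by Time Exceeded / Port Unreachable, and ICMP echo probes answered by Time Exceeded / Echo Reply); the addresses, ports and identifiers in the test are constructed.

```python
# Added example, not from the mailing-list thread. A blanket "allow ICMP
# Time Exceeded in" admits any such packet; matching each inbound ICMP
# message to a pending outbound probe admits only real traceroute replies.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Probe:
    """Outbound probe as the firewall saw it leave."""
    src: str
    dst: str
    proto: str            # "udp" (Unix traceroute) or "icmp" (Windows tracert)
    key: Tuple[int, int]  # udp: (sport, dport); icmp: (identifier, sequence)


@dataclass
class IcmpIn:
    """Inbound ICMP packet arriving from the Internet side."""
    src: str
    dst: str
    type: int
    code: int = 0
    inner: Optional[Probe] = None        # quoted original header in type 3/11
    key: Tuple[int, int] = (0, 0)        # (identifier, sequence) of echo reply


@dataclass
class StatefulIcmpFilter:
    pending: Set[Probe] = field(default_factory=set)

    def outbound(self, probe: Probe) -> None:
        self.pending.add(probe)

    def inbound(self, pkt: IcmpIn) -> bool:
        """True if the packet is a reply to a probe we sent; consumed once."""
        if pkt.type in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
            if pkt.type == ICMP_DEST_UNREACH and pkt.code != 3:
                return False             # only Port Unreachable ends a UDP trace
            if pkt.inner is None or pkt.inner.dst == "" :
                return False
            entry = pkt.inner            # error quotes the probe that caused it
        elif pkt.type == ICMP_ECHO_REPLY:
            # a reply must come from the host we echoed, carrying our id/seq
            entry = Probe(pkt.dst, pkt.src, "icmp", pkt.key)
        else:
            return False                 # anything else (including inbound echo) stays out
        if entry in self.pending:
            self.pending.discard(entry)  # one probe, one reply: blocks replays
            return True
        return False
```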


